This deployment guide covers the adoption of Cisco AI Endpoint Analytics for customers, partners and anyone focused on endpoint visibility and how to achieve it with Endpoint Analytics. It includes sections on integration with ISE for policy enforcement and best practices for defining segmentation policies for SDA.
It does not cover topics such as Authentication, Authorization and Accounting (AAA) or full SDA integration, which are beyond the scope of this document.
Visibility is the first step towards securing an endpoint. The key to endpoint visibility is the ability to identify and classify the different types of endpoints, both IT and IOT devices.
Cisco AI Endpoint Analytics is a solution that detects and classifies endpoints and IOT devices using multiple labels (Endpoint Type, Hardware Model, Manufacturer, OS Type). Assigning multiple labels to an endpoint is called Multi-Factor Classification (MFC). A big advantage of this approach is that endpoints can be categorized in a variety of ways, which can then be used to enforce access policies from ISE.
The AI Endpoint Analytics engine and its user interface run on Cisco DNA Center on premises. It assigns labels to endpoints upon receiving telemetry from the network and other sources. Here is a diagram showing Multi-Factor Classification (MFC):
The first version of Endpoint Analytics uses three key sources of endpoint metadata.
Endpoint metadata collected from two primary sources (Cat9k/Telemetry Sensor and ISE) is fed into DNAC and Endpoint Analytics, which assigns labels to IT and IOT devices as described above. Here is a sample deployment picture with Endpoint Analytics that gives an idea of the components involved.
Upon assigning labels, AI Endpoint Analytics sends this context to ISE for authorization. ISE uses these labels to create custom profiles for use in authorization policies. These authorization policies are the policy decision points that enforce network access across the enterprise.
Deep Packet Inspection from Cat9k/Cisco Traffic Telemetry Appliance:
Network Based Application Recognition (NBAR2) is an embedded technology built into switches (e.g. Cat9k access switches) that can detect and analyze Layer 7 (application layer) packet data from a variety of IT and IOT protocols (around 1500 protocols), along with specific network and transport layer information from the associated endpoints.
These protocols include the standard application protocols used in the enterprise (e.g. browser, email, chat, voice/video). For enterprise IOT devices, NBAR2 supports, to name a few, building automation protocols (BACnet), IOT messaging (MQTT etc.), mDNS (multicast) and other protocols. For healthcare it supports DICOM, HL7 etc., which are used for imaging and electronic record storage and retrieval.
Further, the Software Defined Application Visibility Control (SDAVC) agent collects endpoint information from the network using CDP/LLDP and SNMP.
NBAR2 is also used for application visibility and QoS in Cisco DNA Center and is supported on a variety of platforms (Cat9k access switches, Cisco Traffic Telemetry Appliance (TTA)). In this document we focus on the use of NBAR2 for endpoint visibility.
The Telemetry Sensor is the Cisco TTA appliance running IOS-XE. It replaces the Cat9k DPI functionality explained above when legacy or third-party switches that do not have NBAR2 embedded are in use. It collects network traffic through SPAN/TAP connections from the distribution switch.
The diagram below is a very simplified representation of a topology in which both Cat9k switches and the Cisco Traffic Telemetry Appliance send information to Cisco AI Endpoint Analytics.
ISE Discovery Mechanism and probe data:
Identity Services Engine is a software appliance used for visibility, profiling of IT assets and network access control. It collects endpoint metadata from IT systems using traditional protocols such as RADIUS, DHCP and SNMP to detect IT assets in an enterprise. ISE probes such as Active Directory, Mobile Device Manager and AnyConnect (ACIDEX extensions) add value to the asset information gathered by Endpoint Analytics.
ServiceNow (Configuration Management Database, CMDB)
ServiceNow is a configuration management database that serves as a repository of asset information in an enterprise. Endpoint Analytics will initially only be able to receive asset information from ServiceNow; bi-directional support will be provided in the future. Endpoint asset information from ServiceNow can be used by Endpoint Analytics to profile an endpoint.
AI Endpoint Analytics can be deployed in the following ways, or in combinations of them.
Here is an example of a wired network topology with Cat9k access switches.
Here is the same topology using Cisco TTA (Telemetry Sensor) with legacy or non-Cisco switches.
This AI Endpoint Analytics deployment guide is not an install guide for DNAC. For full installation of DNAC please check
Welcome to the Maglev Appliance
Log in with the maglev user from the CIMC console or connect using an SSH session to the host IP address as assigned during the installation and destination port 2222.
maglev-master-1 login: maglev
[Type in Cisco DNA Center CLI password assigned during installation]
Optionally, if you find that services are not running:
Log in to the DNAC CLI using SSH.
The versions should match those in the "About" section of the UI discussed above, and the status should show DEPLOYED.
$ sudo maglev package status
[administration] username for 'kong-frontend.maglev-system.svc.cluster.local': admin
[administration] password for 'admin':
maglev-1 [main - https://kong-frontend.maglev-system.svc.cluster.local:443]

NAME                            DISPLAY_NAME                      DEPLOYED          AVAILABLE         STATUS         PROGRESS
access-control-application      Access Control Application        2.1.260.62555     -                 DEPLOYED
ai-network-analytics            AI Network Analytics              220.127.116.11    -                 DEPLOYED
app-hosting                     Application Hosting               -                 18.104.22.168727  NOT_DEPLOYED
application-policy              Application Policy                -                 2.1.260.170177    NOT_DEPLOYED
application-registry            Application Registry              2.1.260.170177    -                 DEPLOYED
application-visibility-service  Application Visibility Service    2.1.260.170177    -                 DEPLOYED
assurance                       - Base                            22.214.171.1243   -                 DEPLOYED
endpoint-analytics              AI Endpoint Analytics             126.96.36.1990    -                 DEPLOYED
group-based-policy-analytics    Group-Based Policy Analytics      188.8.131.52      -                 DEPLOYED
ssa                             Stealthwatch Security Analytics   2.1.260.1095096   -                 DEPLOYED
system                                                            1.5.208           -                 DEPLOYED
system-commons                  System Commons                    2.1.260.62555     -                 DEPLOYED
umbrella                        Cisco Umbrella                    -                 2.1.260.592206    NOT_DEPLOYED
wide-area-bonjour               Wide Area Bonjour                 -                 2.4.260.12079     NOT_DEPLOYED

[Mon Oct 12 21:04:36 UTC] firstname.lastname@example.org (maglev-master-10-1-100-110) ~
Other commands are useful for troubleshooting: magctl appstack status checks the appstack and magctl service display lists the services.
Verify the logs from Settings > System 360. Click on Services and then endpoint-analytics.
To follow (tail) the current log of any service, execute the following command in the CLI:
magctl service logs -r -f <service-name>
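When this check is scripted rather than eyeballed (for example from a pre-flight script run over SSH), the package table has to be parsed out of the login prompts that surround it. The following parser is an added example, not part of the guide or of the maglev tooling; the sample output is constructed to mirror the listing above, and the version strings in it are illustrative placeholders.

```python
import re
from dataclasses import dataclass

# Constructed sample of `sudo maglev package status` output, trimmed to a few rows.
# Package names follow the guide; versions are placeholders.
SAMPLE_OUTPUT = """\
[administration] username for 'kong-frontend.maglev-system.svc.cluster.local': admin
[administration] password for 'admin':
maglev-1 [main - https://kong-frontend.maglev-system.svc.cluster.local:443]

NAME DISPLAY_NAME DEPLOYED AVAILABLE STATUS PROGRESS
access-control-application Access Control Application 2.1.260.62555 - DEPLOYED
ai-network-analytics AI Network Analytics 2.1.260.1111 - DEPLOYED
app-hosting Application Hosting - 2.1.260.170177 NOT_DEPLOYED
assurance - Base 2.1.260.1243 - DEPLOYED
endpoint-analytics AI Endpoint Analytics 2.1.260.1990 - DEPLOYED
system 1.5.208 - DEPLOYED
umbrella Cisco Umbrella - 2.1.260.592206 NOT_DEPLOYED
[Mon Oct 12 21:04:36 UTC] admin@example.org (maglev-master-1) ~
"""

STATUS_RE = re.compile(r"^[A-Z_]+$")   # DEPLOYED, NOT_DEPLOYED, DEPLOYING, ...


@dataclass
class PackageRow:
    name: str
    display_name: str
    deployed: str      # version currently deployed, or "-"
    available: str     # version available but not deployed, or "-"
    status: str


def parse_package_status(text):
    """Return {package name: PackageRow} parsed from `maglev package status` output.

    DISPLAY_NAME may contain spaces, so the row is anchored on the STATUS token
    (the last all-caps token) and the two version columns just before it.
    """
    rows, in_table = {}, False
    for line in text.splitlines():
        stripped = line.strip()
        if not in_table:
            in_table = stripped.startswith("NAME ")   # table begins at the header
            continue
        if not stripped or stripped.startswith("["):  # blank line or shell prompt ends it
            break
        tokens = stripped.split()
        status_idx = [i for i, t in enumerate(tokens) if STATUS_RE.match(t)]
        if not status_idx or status_idx[-1] < 3:
            continue                                   # not a package row
        s = status_idx[-1]
        row = PackageRow(name=tokens[0],
                         display_name=" ".join(tokens[1:s - 2]),
                         deployed=tokens[s - 2],
                         available=tokens[s - 1],
                         status=tokens[s])
        rows[row.name] = row
    return rows


def missing_packages(rows, required=("system", "endpoint-analytics", "ai-network-analytics")):
    """Return the required packages that are absent or not in DEPLOYED state."""
    return [name for name in required
            if name not in rows or rows[name].status != "DEPLOYED"]


if __name__ == "__main__":
    parsed = parse_package_status(SAMPLE_OUTPUT)
    for name, row in parsed.items():
        print(f"{name:32} {row.status:13} deployed={row.deployed} available={row.available}")
    print("missing:", missing_packages(parsed))
```

The required-package tuple is a default chosen for this example; extend it with whatever your deployment depends on (for instance application-visibility-service when SD-AVC is in use).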
This guide assumes that Cisco ISE is already in production or in a lab and is not yet integrated with any Cisco DNA Center instance.
The Endpoint Analytics service requires ISE to be upgraded to one of the supported versions/patch levels. This is a prerequisite for DNAC integration with ISE.
ISE should already be configured for authentication and authorization with 802.1X/MAC Authentication Bypass (MAB).
First and foremost, make sure that the "Profiling" service is enabled in ISE and that network devices are configured to send probes to ISE. Refer to the following document for further details: ISE Profiling Design Guide
For the ISE integration to complete, make sure DNAC can reach ISE by its Fully Qualified Domain Name when adding ISE as an AAA server (update the DNS host/pointer records for ISE for this to work); this requires DNS to be configured in the environment. Adding the ISE server creates a pxGrid certificate in ISE that has the DNAC MAC address in the Subject Alternative Name (SAN).
Use the following documentation for DNAC to ISE integration
Turn on the ISE pxGrid service and make sure the pxGrid probe is enabled.
Make sure the ISE IP/FQDN is in the certificate and is DNS resolvable. Add ISE in DNAC from Menu > Settings > Policy Servers.
You will see the following in the ISE UI under Administration > pxGrid Services. Notice that the "dnac" client has a new publication, "endpoint asset", which is used to send the classifications back to ISE.
Approve the "DNAC" pxGrid clients if they are Pending in the "All Clients" tab.
The status of ISE in DNAC will be ACTIVE after you approve the client.
The network device(s) need to be managed and SD-AVC configuration provisioned by the Cisco DNA Center Appliance.
Make sure to back up your network device configuration before provisioning.
Before you configure SD-AVC, make sure you turn on AI Cloud so that the probe data is passed to ML for learning.
All connections to the cloud are outbound on TCP/443; there are no inbound connections (the Cisco cloud will not initiate TCP flows towards Cisco DNA Center).
The Fully Qualified Domain Name (FQDN) to allow in the HTTPS proxy and/or firewall is:
Cisco DNA Center must also be able to perform DNS lookups for the cloud server addresses.
Connections to the cloud servers may also go through a proxy (explicit or transparent) if required. The proxy setting, if any, is inherited from Cisco DNA Center.
For Machine Learning (ML) to be enabled, DNAC must be tethered to the AI cloud. This requires cloud communication and therefore cloud registration.
Once the steps above are completed, go to the Cisco DNA Center appliance web UI to complete the AI Cloud registration:
Click on Configure and enable the Endpoint Smart Grouping and AI Spoof Detection options.
Endpoint Smart Grouping uses the AI/ML cloud to cluster unknown endpoints to help admins label them. This is very useful for reducing the net unknowns in the network.
AI Spoof Detection is an option that, when enabled, lets Cisco gather NetFlow information from your network and helps in modeling the endpoints.
Choose the right region based on your location. The cloud connection is verified and you will see a green check mark when the connection is successful.
Note: If the connection is unsuccessful, check your proxy settings in DNAC under System > Settings > System Configuration > Proxy Config.
Once the registration is completed a pop-up message will show up:
In DNAC, click Menu > Design > Network Settings and enable telemetry so that DNAC collects NetFlow. Enable DNAC as the collection server if the network devices send flows to DNAC; otherwise use the option to add a different NetFlow collection server.
This is supported on Cat9k access switches and is used by ML to collect data for modeling.
Go to Menu > Provision > Inventory and select the site and the switch.
Click the Actions dropdown > Telemetry > Enable Application Telemetry. This enables NetFlow on all ports. If you want to enable it only on certain ports, use the CLI commands below. You can also add the keyword 'lan' to the descriptions of the switch ports; DNAC will then push the configuration only to those ports.
Manually configured NetFlow on the device (10.62.140.77 is the DNAC IP in this example). The flow monitor references the flow record and the exporter, so define those first and then apply the monitor in both directions on the access ports:

flow record fnf-avc-ipv4
 match ipv4 version
 match ipv4 protocol
 match application name
 match connection client ipv4 address
 match connection server ipv4 address
 match connection server transport port
 match flow observation point
 collect flow direction
 collect connection initiator
 collect connection new-connections
 collect connection client counter packets long
 collect connection client counter bytes network long
 collect connection server counter packets long
 collect connection server counter bytes network long
 collect timestamp absolute first
 collect timestamp absolute last
!
flow exporter DNAC
 destination 10.62.140.77
 transport udp 6007
 option interface-table timeout 10
 option vrf-table timeout 10
 option application-table timeout 10
 option application-attributes timeout 10
!
flow monitor fnf-avc-mon
 exporter DNAC
 record fnf-avc-ipv4
 cache timeout inactive 10
 cache timeout active 60
!
! access port
interface GigabitEthernet1/0/13
 ip flow monitor fnf-avc-mon input
 ip flow monitor fnf-avc-mon output
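After pushing this configuration by hand to a number of switches, the practical question is whether every access port actually carries the monitor in both directions and whether the exporter still points at DNAC. The audit below is an added example, not part of the guide or of any Cisco tooling; it parses a running-config excerpt (constructed here, with the exporter address 10.62.140.77 and UDP port 6007 taken from the configuration above) and reports what deviates from the guide's layout.

```python
# Constructed running-config excerpt. GigabitEthernet1/0/14 deliberately lacks the
# output monitor so the audit has a finding to report.
SAMPLE_CONFIG = """\
flow record fnf-avc-ipv4
 match ipv4 version
 match application name
 collect flow direction
!
flow exporter DNAC
 destination 10.62.140.77
 transport udp 6007
!
flow monitor fnf-avc-mon
 exporter DNAC
 record fnf-avc-ipv4
 cache timeout active 60
!
interface GigabitEthernet1/0/13
 description lan - IoT camera
 switchport mode access
 ip flow monitor fnf-avc-mon input
 ip flow monitor fnf-avc-mon output
!
interface GigabitEthernet1/0/14
 description lan - badge reader
 switchport mode access
 ip flow monitor fnf-avc-mon input
!
interface GigabitEthernet1/0/24
 description uplink to distribution
 switchport mode trunk
"""


def parse_blocks(config):
    """Group an IOS-XE running-config into {block header: [indented sub-commands]}.

    Top-level lines (column 0) open a block; lines indented by a space belong to
    the most recent block; '!' separators and blank lines are ignored.
    """
    blocks, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks


def audit_netflow(config, collector_ip, collector_port=6007,
                  monitor="fnf-avc-mon", exporter="DNAC"):
    """Return a list of findings; an empty list means the config matches the guide.

    Checks: the exporter targets the DNAC collector on the expected UDP port, the
    monitor is bound to that exporter and to a record, and every access port
    (switchport mode access) has the monitor applied input and output.
    """
    blocks = parse_blocks(config)
    findings = []

    exp = blocks.get(f"flow exporter {exporter}")
    if exp is None:
        findings.append(f"flow exporter {exporter} not defined")
    else:
        if f"destination {collector_ip}" not in exp:
            findings.append(f"flow exporter {exporter}: destination is not {collector_ip}")
        if f"transport udp {collector_port}" not in exp:
            findings.append(f"flow exporter {exporter}: transport is not udp {collector_port}")

    mon = blocks.get(f"flow monitor {monitor}")
    if mon is None:
        findings.append(f"flow monitor {monitor} not defined")
    else:
        if f"exporter {exporter}" not in mon:
            findings.append(f"flow monitor {monitor}: not bound to exporter {exporter}")
        if not any(line.startswith("record ") for line in mon):
            findings.append(f"flow monitor {monitor}: no flow record attached")

    for header, lines in blocks.items():
        # Only access ports (where endpoints connect) are expected to carry the monitor.
        if not header.startswith("interface ") or "switchport mode access" not in lines:
            continue
        for direction in ("input", "output"):
            if f"ip flow monitor {monitor} {direction}" not in lines:
                findings.append(f"{header}: missing ip flow monitor {monitor} {direction}")
    return findings


if __name__ == "__main__":
    for finding in audit_netflow(SAMPLE_CONFIG, "10.62.140.77"):
        print(finding)
```

Feed it the output of `show running-config` collected from each switch and a non-empty result tells you which ports will not be sending flows to DNAC; a wrong exporter destination surfaces as the first finding.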
Please see Appendix 2 at the end of the document for a complete checklist of the items that need to be configured and verified.
SD-AVC on supported IOS-XE platforms provides the telemetry used for high-fidelity classification of endpoints.
SD-AVC can be deployed with the following network devices:
Customers using Cat9k switches and SD-AVC to gather telemetry from endpoints should upgrade the switches to IOS-XE 17.3.1. This should be done before deploying and integrating DNAC with the Endpoint Analytics service.
Technology Package License Information:

Current                 Type              Next reboot
network-advantage       Smart License     network-advantage
dna-advantage           Subscription      dna-advantage

The switch should be configured for 802.1X / MAC Authentication Bypass (MAB). MAB allows ISE to authenticate IOT devices using their MAC address, while access is allowed or denied based on authorization. Profiling identifies and classifies the IOT device, which is then reauthorized to receive the right level of access.
The following steps describe how to add a network device to DNAC, provision the configuration and enable CBAR.
Cat9k-DNAC-DCS#sh avc sd-service info summary
If Endpoint Analytics and DNAC do not receive SD-AVC data, it could be a provisioning error. If the network device was previously managed by another DNAC server, you need to clean up the certificate on the switch and add the device again.
Cat9k-DNAC-DCS#sh avc sd-service info summary
This is a Cisco appliance that performs deep packet inspection where you have legacy or non-Cisco network devices. It requires Layer 2 traffic to be sent to the appliance for NBAR deep packet inspection. (The ordering PID for the appliance is DN-APL-TTA-M.)
If you are using the telemetry box, it needs to be connected to the distribution layer via one SPAN port (L2 traffic, discovery) for a single distribution switch.
Below you can find information on the ports and connections used in the Cisco Traffic Telemetry Appliance (Cisco TTA). The blue cable in the chassis picture was connected to GE1 when the picture was taken; it needs to be connected to GE0 as shown in the connection diagram below.
Gi5 is for management and Gi0 is the backup. Interfaces Gi0/0/1-4 and Te0/0/0-1 are used for SPAN on the Cisco TTA.
If you have multiple distribution switches you can use both 10G ports or the four 1G ports to mirror traffic via SPAN and send endpoint traffic from different VLANs.
Note: Cisco TTA supports up to 40,000 endpoints in an appliance.
Allow the endpoints' VLANs in the SPAN or remote SPAN from your distribution switch. Note that VLAN 1 is used to send discovery (CDP, LLDP) traffic. Enable SPAN on your aggregation switch using the following commands; if your IOT endpoints are in VLANs 10, 20 and 30, configure the following. The example below shows a Gigabit Ethernet port; the same configuration applies to Ten Gigabit ports. You can use VLANs or interfaces as the source.

switch(config)#monitor session 1 source vlan 1 , 10 , 20 , 30 both
switch(config)#monitor session 1 destination interface gigabitEthernet 1/0/x
switch(config)#do show run | inc monitor
monitor session 1 source vlan 1 , 10 , 20 , 30
monitor session 1 destination interface Gi1/0/x
On the Cisco TTA, Gi0/0/5 is used for management and sends telemetry data to DNAC.
Here are the commands you need to execute on the appliance before adding it to the DNAC inventory. The description and IP address belong to the management interface, so enter interface configuration mode for Gi0/0/5 first:

Cisco-TTA#conf t
Cisco-TTA(config)#enable password <password string>
Cisco-TTA(config)#aaa authentication login default local
Cisco-TTA(config)#username admin privilege 15 password 0 <password string>
Cisco-TTA(config)#snmp-server community <string> RO
Cisco-TTA(config)#snmp-server community <string> RW
Cisco-TTA(config)#interface GigabitEthernet0/0/5
Cisco-TTA(config-if)#description ****Management interface******
Cisco-TTA(config-if)#ip address <IP address> <Subnet Mask>
Cisco-TTA(config-if)#exit
Cisco-TTA(config)#ip nbar classification tunneled-traffic capwap
Cisco TTA can be managed from DNAC. Currently you cannot change the configuration of the appliance from DNAC, but you can check the status of the appliance, its configuration, ports etc.
Go to Menu > Provision > Devices > Inventory and add the device under a site. If you don't have a site, create one under Design > Network Hierarchy.
Note: The serial number should be updated; the Device Series is Cisco DNAC Traffic Telemetry Appliances.
If you double-click the Device Name entry (e.g. Entourage-TTA), a screen opens that shows the overall appliance status.
Note: For endpoints to be visible in Endpoint Analytics, the network device connected to the endpoint must be added to the DNAC inventory. This requirement is being addressed in future DNAC releases/patches. Endpoints will not be visible in EA without this step.
Go to Menu > Provision > Application Visibility. If this is the first time you open Application Visibility you have to go through the wizard shown below: select the device to enable CBAR and proceed to the next step. Otherwise, select the device from the list and click the 'Enable CBAR' button.
Once CBAR is enabled, the deployment status will show completed.
You can verify that the AVC (Application Visibility and Control) service is enabled on the box by logging into the Cisco Traffic Telemetry Appliance and executing the following CLI command.
Cisco-TTA#sh avc sd-service info summary
Device ID: Cisco-TTA
Device segment name: AppRecognition
Device address: 10.1.100.90
Device OS version: 17.03.01
Device type: DN-APL-TTA-M
Type            : Primary
IP              : 10.1.100.24
Version         : 4.0.0
Last connection : *02:26:00.000 UTC Sat Sep 5 2020
Both the Cat9k and the telemetry box collect endpoint metadata using deep packet inspection of packet flows. This is further sent to the NBAR cloud for analysis and for detecting unknown protocol signatures. For this to happen, the DNAC appliance needs to be tethered to the cloud.
Note: You can get this credential by clicking "Cisco API Console" in the panel, which opens a portal. Log in with your CCO ID, create a new app, select the options corresponding to NBAR cloud and complete the form. At the end you will get a Client ID and Secret.
Log in to the Cisco TTA appliance and, from the CLI, go to the interface connected to the SPAN port of your distribution switch. Do a "no shut" on that Gig/Ten Gig interface.
Go to the Endpoint Analytics application as described below to start the UI. Open the left panel by clicking the hamburger menu icon to the left of "DNA Center".
From the DNAC UI: Go to Policy > AI Endpoint Analytics to start the UI.
You will see the "Total Endpoints" on the left and "AI Proposals" on the right.
Total Endpoints shows endpoints that are Unknown (not profiled), partially profiled (Missing Profiles), and fully profiled.
It takes a while for ML grouping to show enough clusters; give it a few hours. You will then see the following screen, with Active Points (Fully Classified, and labels for missing classification).
You will see the AI proposals being populated on the right side of the screen.
When you click the 'Endpoint Inventory' tab at the top of the screen above, you see the list of endpoints in the inventory. 'Profiling Rules' lists the rules used for profiling, including the Custom rules and AI Rules you create.
To look at endpoint details, click the MAC address under the 'Endpoint Inventory' tab. A side panel opens on the right showing the list of protocols and attributes collected. You can also see the 'IOTAsset' attributes that are populated by Endpoint Analytics. These attributes/values are sent to ISE. Do not close this browser tab.
Warning: When enabled, this changes the profile of all endpoints that match, causing massive reprofiling in the ISE deployment. Avoid doing this in a production ISE system. Create custom policies in ISE carefully, per device, and/or use Network Device Groups as outlined below.
Log in to the ISE UI in a different browser tab.
Make a note of a few endpoints that need to be classified by Endpoint Analytics, along with their 'Total Certainty Factor', as in the example below. Let us focus on one endpoint with MAC address "58:0A:20:FA:4F:84"; its total certainty factor is 285.
The table below lists the attributes that match what you saw in the Endpoint Analytics UI under "IOTAsset". Also make a note of the "Calling-Station-ID".

Attribute        | Value
assetHwRevision  | Cisco IP Phone 8945^^Cisco-IP-Phone^^Cisco-Device
assetSwRevision  | Cisco IP Phone
assetVendor      | Cisco Systems, Inc.

Note: Last but most importantly, add a condition on "AssetMACAddress" and use it. If you do not, the profile will match all endpoints that satisfy the other conditions. It is very important to include "AssetMACAddress".
If you are running in a production ISE environment you have to add all the conditions, most importantly the condition that checks the MAC address, before enabling this. You can also add "Calling-Station-ID", which is a RADIUS attribute, with the MAC address as the value.
Finally, two key things must be set before saving the policy: the "Minimum certainty factor" at the top and the "Policy enabled" option.
The minimum certainty factor of the custom profiling policy we just created is the aggregate of the certainty factors of the conditions listed below it.
Importantly, the minimum certainty factor has to be greater than the Total Certainty Factor we saw above for the endpoint in ISE (Context Visibility > Endpoint Classification).
In our case let us make it 300, which is greater than 285. If you are unsure you can use a higher number such as 500 or 1000.
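The two rules above (include the MAC condition, and set the minimum certainty factor above the endpoint's current 285) are easier to reason about with a small model of how ISE picks a profile: each condition that matches contributes its certainty factor, a policy matches when the sum reaches its minimum, and the endpoint is assigned the matching policy with the highest score. The code below is an added example, not part of the guide or of ISE; the built-in Cisco-IP-Phone-8945 policy is reduced to a constructed stand-in worth the 285 shown above, the condition certainty factors are chosen so the custom policy totals exactly 300, and the second phone (58:0A:20:FA:4F:85) is constructed to show what happens to other endpoints with the same labels.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Condition:
    attribute: str
    value: str
    certainty: int          # certainty factor awarded when this condition matches


@dataclass
class ProfilingPolicy:
    name: str
    minimum_certainty: int  # the "Minimum certainty factor" field in ISE
    conditions: tuple
    enabled: bool = True    # the "Policy enabled" checkbox


def policy_score(endpoint, policy):
    """Total certainty factor: sum of the CFs of the conditions the endpoint matches."""
    return sum(c.certainty for c in policy.conditions
               if endpoint.get(c.attribute, "").lower() == c.value.lower())


def assigned_profile(endpoint, policies):
    """(policy name, score) of the enabled policy that meets its minimum with the
    highest score; ('Unknown', 0) when nothing matches."""
    best = ("Unknown", 0)
    for p in policies:
        if not p.enabled:
            continue
        score = policy_score(endpoint, p)
        if score >= p.minimum_certainty and score > best[1]:
            best = (p.name, score)
    return best


def check_custom_policy(policy, current_total_cf):
    """Pre-flight checks from the guide before enabling a custom policy:
    a MAC condition is present, the minimum CF beats the endpoint's current total,
    the conditions can actually reach the minimum, and the policy is enabled."""
    problems = []
    if not any(c.attribute in ("AssetMACAddress", "Calling-Station-ID") for c in policy.conditions):
        problems.append("no AssetMACAddress/Calling-Station-ID condition: every endpoint with these labels would be reprofiled")
    if policy.minimum_certainty <= current_total_cf:
        problems.append(f"minimum certainty {policy.minimum_certainty} is not above the endpoint's current {current_total_cf}")
    reachable = sum(c.certainty for c in policy.conditions)
    if reachable < policy.minimum_certainty:
        problems.append(f"conditions total {reachable}, below minimum {policy.minimum_certainty}; policy can never match")
    if not policy.enabled:
        problems.append("'Policy enabled' is not set")
    return problems


# Constructed endpoint attribute sets, as seen under IOTAsset / CDP in ISE.
PHONE_A = {"AssetMACAddress": "58:0A:20:FA:4F:84",
           "cdpCachePlatform": "Cisco IP Phone 8945",
           "assetHwRevision": "Cisco IP Phone 8945^^Cisco-IP-Phone^^Cisco-Device",
           "assetSwRevision": "Cisco IP Phone",
           "assetVendor": "Cisco Systems, Inc."}
PHONE_B = dict(PHONE_A, AssetMACAddress="58:0A:20:FA:4F:85")   # same model, other MAC

# Stand-in for the built-in policy: one condition worth the 285 seen in ISE.
BUILTIN_8945 = ProfilingPolicy("Cisco-IP-Phone-8945", 285,
                               (Condition("cdpCachePlatform", "Cisco IP Phone 8945", 285),))

# Custom policy built from the IOTAsset attributes plus the MAC condition; 100+50+50+100 = 300.
CUSTOM_8945 = ProfilingPolicy("EA-Cisco-IP-Phone-8945-58-0A-20-FA-4F-84", 300, (
    Condition("assetHwRevision", "Cisco IP Phone 8945^^Cisco-IP-Phone^^Cisco-Device", 100),
    Condition("assetSwRevision", "Cisco IP Phone", 50),
    Condition("assetVendor", "Cisco Systems, Inc.", 50),
    Condition("AssetMACAddress", "58:0A:20:FA:4F:84", 100),
))
POLICIES = (BUILTIN_8945, CUSTOM_8945)

if __name__ == "__main__":
    print(check_custom_policy(CUSTOM_8945, 285))   # [] means safe to enable
    print(assigned_profile(PHONE_A, POLICIES))     # custom policy wins with 300
    print(assigned_profile(PHONE_B, POLICIES))     # the other phone keeps the built-in profile
```

Dropping the MAC condition and raising the other three certainty factors so they still total 300 makes PHONE_B match the custom policy too, which is exactly the mass reprofiling the warning above describes; check_custom_policy flags that policy before it is enabled.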
The last step is to create an authorization policy and add the custom profile created above.
Before that, consider the level of access needed for different types of devices before and after profiling. Here are some best practices.
Here are guidelines on security policy for IOT devices when creating authorization policies for the pre- and post-authentication and profiling stages.
Designing Security policies:
When designing security policies, remember that NBAR needs to see the application traffic to perform deep packet inspection (DPI) and profile endpoints correctly. So the default ACL should allow application traffic both before and after authentication. Here are some recommendations for different types of endpoints.
If you start with limited access or closed mode, use a MAC allowed list, or register the devices in the Endpoint Analytics UI, which creates labels, and use those attributes to create a custom profiling policy in ISE. You can also create Endpoint Identity Groups in Cisco ISE and use them as the MAC allowed list. The idea is to grant more privileges as more context becomes known. That said, there are two types of devices, critical infrastructure/medical IOT devices and IT-managed devices. Here are a few best practices for each.
Critical infrastructure/Medical IOT devices:
Medical IOT should be in its own VN. You can use SGTs to allow or prevent access between medical IOT devices once they are profiled.
Medical IOT devices may need continuous access for critical patient care. Even if other edge switches are down, they need continuous access to their resources, with fail-open behavior. You can add more access restrictions after profiling, as needed, after testing and observation (monitor mode). Access restrictions should be based on the type of medical IOT device.
Example 1: An MRI machine may need access to a PACS server or a gateway. An MRI machine does not need internet access or access to other MRI machines. A PACS server should allow access from a gateway/MRI machine and from doctors' workstations.
PACS (Picture Archiving and Communication System) is used for image storage and retrieval and uses protocols such as DICOM and HL7 to communicate with the outside world.
If in doubt, err towards more access rather than less when dealing with critical infrastructure IOT or medical IOT for patient care. Availability is critical for medical IOT devices.
IT devices can be part of the Campus VN, and you can use SGTs to control access between them. The same approach as above applies. Alternatively, you can provide limited access if the level of access and the applications used by IT devices are known, for example printers, scanners, employee mobile devices or BYOD (Bring Your Own Device). Typically, access to DHCP, DNS, AD, print servers and the applications necessary for continuous access to services can be allowed before authentication. More access can be provided after profiling based on SGTs (Scalable Group Tags).
E.g. printers may need access to the print server and maybe to a specific website to download drivers. BYOD may not need access to internal resources.
If you are working with enterprise IOT devices (Roku, Apple TV etc.) that rely on multicast or other applications, remember to open those ports and protocols in the default pre-authentication access so that NBAR can recognize the application and identify the endpoints.
Based on the role, location and context of the device, you can provide granular access to the device.
Finally, use ACLs and/or SGTs in combination with the VN in the authorization policy to provide the right level of access.
The final step is to use this profiling policy in an authorization policy to provide the right level of access.
Note: There are default Authorization profiles already available in ISE. When using a default Authorization profile, open it to make sure you assign the right ACL. The assignment of VLAN/ACL or SGT is done under "Common Tasks" inside an Authorization profile.
When assigning an SGT, choose the name of the SGT; this opens another drop-down to choose the corresponding Virtual Network for SDA deployments. For non-SDA deployments leave this empty.
To create a new Downloadable ACL, use the corresponding option in the left panel under Work Centers > Network Access > Policy Elements > Results. Once you create the Downloadable ACL, add it to the Authorization profile you created.
Now add a new policy set by clicking ⊕ and type in the name of the policy set. Add a condition by clicking +, which opens the Condition Studio; select DEVICE from the Dictionary and Device Type as the attribute. Select the new Network Device Group we created above from the drop-down.
enable password lab
aaa authentication login default local
username admin privilege 15 password 0 cisco
enable password <xyx1123!!>
ntp server 184.108.40.206 source GigabitEthernet0/0/5
clock set 18:00:00 1 Jan 2019
(CAPWAP) traffic. Example:
ip nbar classification tunneled-traffic capwap
ip nbar classification granularity fine-grain
description ***** Management port to talk to DNAC ********
ip address <Management IP address of appliance> <Subnet mask>
ip route 0.0.0.0 0.0.0.0 <Gateway IP address>
ip name-server <IP address of DNS server>
Configure Telemetry Box Network Settings
description ****** Ten Gig SPAN ****
description ****Ten Gig SPAN from second distribution***
description ***** Span Traffic ********
description ***** Span Traffic ********
description ***** Span Traffic ********
description ***** Span Traffic ********
description ***** Span traffic ********
description ***** Management port to talk to DNAC ********
ip address <x.x.x.x> <y.y.y.0>
description ***Port used as a backup Management for Router***
EA: Cisco AI Endpoint Analytics, an application running on Cisco DNAC that provides endpoint visibility and collects asset information from various sources.
DNAC: Cisco DNA Center, a platform/controller that provides automation, assurance and policy to enterprises for managing their network.
ISE: Identity Services Engine, a software appliance that provides AAA services, verifies compliance and enforces network access and access control policies.
pxGrid: Platform Exchange Grid, a service that exchanges endpoint information between ISE and other Cisco and non-Cisco products.
AAA: Authentication, Authorization and Accounting, referring to how endpoints and users are authenticated and authorized in the network, typically using the RADIUS protocol.
SDAVC: Software Defined Application Visibility Control, a service running on Cisco DNA Center that gathers application and endpoint information from the network for application recognition and endpoint visibility.
NBAR: Network Based Application Recognition, the sensor engine embedded in the network device that performs deep packet inspection of Layer 7 protocols, together with Layer 3 and Layer 4 information, to detect applications and endpoints in the network.
CBAR: Controller Based Application Recognition, the controller-side component in DNAC that enables NBAR on the network device.
SPAN: A connection where a copy of the L2 traffic from one or more VLANs or ports is mirrored to a destination.
AI: Artificial Intelligence, referring to the AI service on DNAC and in the cloud that provides intelligence for Endpoint Analytics along with crowdsourcing.
ML: Machine Learning, referring to the algorithms used to cluster unknown endpoints so that admins can label them; the labels can be used for crowdsourcing.
IOT: Internet of Things, endpoints in an enterprise that have a specific purpose, as opposed to general-purpose endpoints (mobile devices, laptops, printers etc.).
DNS: Domain Name Service, which maps names to IP addresses so that applications, products and services can reach a destination (e.g. an email service, an application service, servers or endpoints).